Rekeying a Linux System Device

If you encrypted a Linux system device (such as /root, swap, or /home) with the htroot encrypt command, you need to rekey that system device with the htroot rekey command.

Important: This procedure applies to Linux system devices only. If you want to rekey a Linux data drive, see Rekeying a Disk Using the webGUI or Rekeying a Disk using the CLI. If you use this procedure to rekey a data drive, DataControl will treat the data drive as a system device and all future rekey tasks will require you to reboot the device.

During this procedure, the VM will need to be rebooted to start the rekey process. If you have enabled Online Encryption for this VM, the VM will come back online immediately and the Policy Agent will rekey the system devices as a background process. In this case, users can continue to access the data while it is being rekeyed.

If Online Encryption is not enabled, the VM will remain inaccessible for normal operations until the rekey process completes.

For more information about Online Encryption, see Linux Online Encryption Prerequisites and Considerations.

Procedure

  1. Log into the VM as root.
  2. If you want to check the available disks on this VM, enter the hcl status command. The Registered Devices section shows all devices that have been encrypted on the VM, with the short form of the disk name in the first column. You will need this short name in order to rekey the device.

  3. Enter the htroot rekey <diskname1,diskname2,... | -a> command, where each diskname is the short form of the disk name. (For example, sda2 instead of /dev/sda2.) To specify multiple disks, use a comma-separated list. To rekey all available system devices, specify -a instead of a list of disk names. (If you specify -a, DataControl only rekeys the system devices. It does not rekey the data devices.)

    For example:

    # htroot rekey sda2,sda3
    
    Setting up system for root device rekey.
    This operation may take a long time
    
    Do you want to proceed? (y/N) y
    The system has been updated to rekey the Linux root device/s during next boot; please reboot the system now
    Do you want to reboot the system now? (y/N) y
  4. Confirm the server reboot to continue. When the server has rebooted, it authenticates itself with KeyControl to get the required encryption keys and then starts the rekey process. The time required to rekey the devices depends on their size and the type of storage you have.

    • If you have enabled Online Encryption for this VM, the VM reboots immediately and the Policy Agent rekeys the devices as a background process. In this case, you can check the rekey status at any time using the hcl status command.
    • If Online Encryption is not enabled, the VM remains offline until the rekey process completes. In this case, you can see the rekey progress on the VM console through vSphere, Azure, or AWS.
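The following POSIX shell helper is an added example, not part of the DataControl documentation or product. It takes device names in either form (sda2 or /dev/sda2), reduces them to the short form that step 3 requires, drops duplicates, rejects anything that is not a plain device name, and prints the resulting htroot rekey command line for the operator to review before running it. Only the htroot rekey syntax comes from the page; the function names and the validation rules are assumptions.

```shell
#!/bin/sh
# Added example (not from the DataControl documentation): build the argument
# for "htroot rekey" from device names given as sda2 or /dev/sda2.
# The helper only prints the command line; it never executes htroot.

# normalize_disks: print a comma-separated list of short device names.
# Strips a leading /dev/, rejects names that still contain "/", whitespace,
# or a leading "-", and drops duplicates. Returns 1 on any invalid name.
normalize_disks() {
    out=""
    for name in "$@"; do
        short=${name#/dev/}
        case "$short" in
            ''|*/*|*[[:space:]]*|-*)
                echo "invalid device name: $name" >&2
                return 1 ;;
        esac
        case ",$out," in
            *",$short,"*) continue ;;   # already listed, skip duplicate
        esac
        out="${out:+$out,}$short"
    done
    printf '%s\n' "$out"
}

# rekey_command: print the exact htroot command line for the given devices.
# "-a" alone rekeys all system devices; combining -a with names is an error,
# because htroot rekey takes either a list or -a, not both.
rekey_command() {
    if [ "$1" = "-a" ]; then
        if [ $# -ne 1 ]; then
            echo "-a cannot be combined with device names" >&2
            return 1
        fi
        printf '%s\n' "htroot rekey -a"
        return 0
    fi
    list=$(normalize_disks "$@") || return 1
    printf '%s\n' "htroot rekey $list"
}

# Usage: rekey_command /dev/sda2 sda3   -> htroot rekey sda2,sda3
#        rekey_command -a               -> htroot rekey -a
```

Because the helper only prints the command, the operator can compare the printed list against the Registered Devices section of hcl status before running it, which guards against passing a data drive (see the note at the top of this page) to htroot rekey by mistake.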